Transcript of "Emerging cyber threats_report2012"

2.
INTRODUCTIONCollaborative research, education and awarenessare required to battle advanced and large-scale botnetattacks, mobile application exploits, and manipulation ofonline information.In the past year, we have witnessed cyber attacks of improving human life on a global scale. As a leaderunprecedented sophistication and reach. These attacks in cyber security research, Georgia Tech continues todemonstrate that malicious actors have the ability to com- develop novel, impactful solutions to important problems.promise and control millions of computers that belong to Atlanta is a major hub for cyber security, and many secu-governments, private enterprises and ordinary citizens. If rity companies rely on innovation, expertise and talentwe are going to prevent motivated adversaries from attack- from Georgia Tech.ing our systems, stealing our data and harming our criticalinfrastructure, the broader community of security research- Our desire for broader engagement, cooperation anders—including academia, the private sector and govern- interaction with key stakeholders is necessary for combat-ment—must work together to understand emerging threats ing the large-scale threats we face today and keepingand to develop proactive security solutions to safeguard pace with constantly evolving malware. In addition, per-the Internet and physical infrastructure that relies on it. vasive mobile application adoption and increasing attacks on our ability to access online information require objec-Georgia Tech’s annual Cyber Security Summit on Oct. 11, tive, truth-driven research to ensure integrity and trustwor-2011 provides an opportunity for security experts from thiness of information and interactions on the Internet.industry, academia and government to come togetherand explore the challenges we face in securing cyber and Research projects in all these areas are currently under-cyber-connected physical systems. By seeking to engage a way at Georgia Tech. Further leveraging in-housebroader audience, Georgia Tech remains at the center of research and expertise, Georgia Tech compiled the fol-efforts to develop new technologies and strategies that are lowing Emerging Cyber Threats Report, which includeseffective against sophisticated cyber attacks. insight and analysis from a variety of experts from the IT security industry, government and academia. The ReportThe Georgia Institute of Technology is one of the nation’s and the Summit provide an open forum for discussionleading public research universities. Groundbreaking of emerging threats, their potential impact and counter-research is underway in dozens of labs across cam- measures for containing them. After the summit, we invitepus and the Georgia Tech Research Institute (GTRI). you to learn more about our work in cyber security andThese efforts are focused on producing technology and engage with our experts to understand and address theinnovation that will help drive economic growth, while challenges we face in securing cyber space. — Mustaque Ahamad, director, GTISC — Bo Rotoloni, director, Cyber Technology and Information Security Laboratory at GTRI2 GEORGIA TECH CYBER SECURITY SUMMIT 2011

3.
The Mobile Threat Vector—managing tensions betweenusability, security and scaleHighlights: on to confirm the safety of their online location. If a user does clickn Mobile applications rely increasingly on the browser, a malicious link on a mobile device, it becomes easier to obfuscate presenting unique challenges to security in terms of usability the attack since the Web address bar is not visible. and scale. The varied existence of SSL icons on mobile browsers can alson Expect compound threats targeting mobile devices to use contribute to successful exploitation. “If you’re a security expert SMS, e-mail and the mobile Web browser to launch an and you want to see the SSL certificates for a site from your mobile attack, then silently record and steal data. phone browser, it is extremely difficult to find that information—ifn While USB flash drives have long been recognized for their it’s there at all,” said Traynor. “And if a security expert can’t verify ability to spread malware, mobile phones are becoming a a connection and a certificate, how do we expect the average user new vector that could introduce attacks on otherwise-pro- to avoid compromise?” tected systems Understandably, display security on mobile browsers is not asn Encapsulation and encryption for sensitive portions of a advanced as the desktop either. The way elements are laid out mobile device can strengthen security. on a page and the actions that take place when a user touches something are all opportunities to embed an attack. According to Traynor, mobile browsers are more susceptible to attacks launched just by touching the display. For example, attackers will lure usersMobile browsers present a unique challenge. with attractive display content, hiding their malicious link under-When it comes to securing mobile phones from emerging threats, neath a perfectly legitimate image. Once a user clicks on thatscale, usability and device constraints present some interesting image, it gives the attackers the ability to spy on the user andchallenges. The mobile phenomenon is still gaining momentum, redirect them to a malicious payload.with four billion mobile phones in use around the world and mobileInternet expected to outpace desktop Internet usage by 2014.1Today, even less expensive mobile phones come with some form Mobile devices do not commonly receiveof Web browser, representing a major vulnerability that can be patches and updates.exploited by existing and emerging threats. Dan Kuykendall, co-CEO and Chief Technology Officer for NT“Mobile applications are increasingly reliant on the browser,” said OBJECTives also worries about threats targeting mobile applica-Patrick Traynor, GTISC researcher and assistant professor at the tions and mobile browsers. “One of the biggest problems withGeorgia Tech School of Computer Science. “As a result, we expect mobile browsers is that they never get updated,” he said. “For mostmore Web-based attacks against mobile devices to be launched in users, their operating system (OS) and mobile browser is the samethe coming year.” as it was on the phone’s manufacture date. That gives the attackers a big advantage.”Tension between usability and security, along with device con-straints make it difficult to solve mobile Web browser security flaws. While computers can be manually configured not to trust compro-“The mobile vector requires special consideration when it comes to mised certificates or can receive a software patch in a matter of days,security,” said Traynor. “We still need to explore the significant dif- it can take months to remediate the same threat on mobile devices—ferences between mobile browsers and traditional desktop brows- leaving mobile users vulnerable in the meantime. The software indus-ers to fully understand the potential of emerging threats.” try needs to modify the current patch and update model to integrate mobile devices for more complete coverage.Traynor cites small screen size as just one of many device-relatedchallenges to mobile security. Small screens can make vulnerabili- Kuykendall thinks emerging threats to mobile devices will expandties more serious and present attackers with an opportunity. For and develop rapidly, similar to the explosion in Web applicationexample, users on a mobile browser will not see the Web address vulnerabilities and threats witnessed several years ago. “To keepbar for very long. To enhance usability, the address bar disap- pace with market demand, the applications are being developedpears above the screen so that more of the page content can be too quickly. Therefore, developers and QA teams are not validat-displayed. But this also removes many of the visual cues users rely ing the data as aggressively as they should,” said Kuykendall. CONTINUED ON NEXT PAGE1 Source: http://www.digitalbuzzblog.com/2011-mobile-statistics-stats-facts-marketing-infographic/ E M E R G I N G C Y B E R T H R E AT S R E P O R T 2 0 1 2 3

4.
The Mobile Threat Vector“They aren’t expecting attacks to come from other phones, which is “Mobile phones are already equipped with cameras that could bealready happening, and they don’t fully recognize the vulnerabili- used for facial recognition or iris detection, and microphones forties present in the back end of all the mobile applications.” voice detection,” Schutzer said. “These technologies can strengthen user and device authentication and augment security practices.”Kuykendall cites data theft as the primary goal of emerging mobilethreats and lists several scenarios already happening and expectedto continue, including: Implementing a strong mobile securityn Exploiting a mobile browser vulnerability to get a remote shell program focused on encapsulation. that enables the attacker to remotely run commands on the As smartphones and tablet devices continue to blur the lines phone OS. between the professional and the personal, global corporationsn Compound threats that use SMS, e-mail and the mobile Web such as Equifax (NYSE: EFX), one of the largest and most diverse browser to launch an attack, then silently record and steal data. sources of consumer and commercial data, are implementing stron- ger security policies around mobile devices. “When it comes to mobile security, our approach is based onThreats targeting Android and iOS are on encapsulation. It enables us to establish well-defined boundar-the rise. ies and balance user productivity with security needs,” said TonyGunter Ollmann, vice president of research for Damballa notes Spinelli, senior vice president and Chief Security Officer of Equifax.that malware targeting mobile devices is constantly evolving. “The “After dedicating significant time and resources to select a mobileZeus-in-the-Mobile (ZitMo) and several other examples of Android phone management platform, we launched a pilot program tomalware are acting more like traditional bots by communicating ensure complete encapsulation of mobile devices for more thanwith a command-and-control (C2) architecture,” says Ollmann. 6,500 employees across the U.S. and 15 other countries.”“This marks an evolution beyond premium rate fraud and othertactics that do not rely on C2, and makes mobile devices as suscep- Using this approach, Equifax encapsulates and encrypts the cor-tible to criminal breach activity as desktops.” porate portion of an employee’s smartphone, and can quickly and remotely address a device that is compromised in any way. “WeThe ZitMo attack targeted Android users in an attempt to defeat take a layered, holistic approach to security that includes multiplebanking two-factor authentication, steal credentials, and ultimately levels of defense,” said Spinelli. “Despite their rapid consumeriza-money, from users’ bank accounts. Comprised of blended tech- tion, mobile devices are no exception.”niques, this Trojan-based attack involves phishing, social engi-neering, intercepting SMS messages and sending authentication Spinelli concluded, “As mobile devices become an increasinglycredentials to a remote server. attractive target in the integrated economy, it is critical for orga- nizations to adopt a multi-faceted strategy that leverages the rightDmitri Alperovitch, independent security expert and former vice combination of security best practices with business technologypresident of Threat Research at McAfee is also watching the mobile requirements.”space closely. “We’re already seeing an explosion of threatstargeting Android and the iOS platform,” he said. “These deviceswill become major targets in the months ahead and are providing Academic research servesanother avenue for data theft.” a marketplace needAlperovitch continued, “Mobile phones represent a physical part Founded in research efforts at Georgia Tech, Pindropof your identity. They know and can share your location, can take Security is a telecommunication start-up that is restoringphotos and record videos. Just think of the potential for data theft if security for aspects of telephony. Long viewed as a trustedan attacker could remotely control these devices. With remote con- medium, telephony is used by companies and individuals totrol of a CEO’s mobile phone, an advanced persistent adversary conduct important transactions. But Caller-ID and Automaticcould activate the microphone to record private negotiations.” Number Identification can be easily manipulated leaving telephony transactions vulnerable to attack. Pindrop SecurityOn the bright side, the same mobile device features could be used to offers a unique Caller-ID technology that authenticates callersenhance security. Dan Schutzer, CTO of BITS, the technology policy through the “fingerprint” of the phone call, making financialdivision of The Financial Services Roundtable, believes that mobile and other transactions over the phone more secure.devices are more naturally suited to biometric security measures.4 GEORGIA TECH CYBER SECURITY SUMMIT 2011

5.
Mobile devices—a new vector for attackingthe network and critical systems.One source in private industry that requested anonymity worriesthat mobile phones will be a new on-ramp to planting malware onmore secure devices. “Let’s say you’ve secured a process controlsystem within a nuclear facility and there’s no direct connectionbetween that system and the corporate network,” he said. “Evenwith such security measures in place, someone who just needs tocharge his phone can introduce malware as soon as it’s pluggedinto a computer within that location.”While USB flash drives have long been recognized for their abilityto spread malware, mobile phones are becoming a new vector thatcould introduce attacks on otherwise-protected systems. “A phoneis also a storage device,” notes the industry insider. “I can see asophisticated attacker writing code to exploit wireless connectivitytechnology that subsequently plants malware on a mobile phone.Now that phone is programmed to install a dangerous payload assoon as it connects to a targeted system.” Mobile browser security research efforts at Georgia Tech Georgia Tech researchers are working closely with nine mobile browser manufacturers to understand the differences between mobile and desktop browsers and the resulting security implications. Research efforts also include security reviews of nine mobile browsers to identify and remediate vulnerabilities that could lead to successful compromise. E M E R G I N G C Y B E R T H R E AT S R E P O R T 2 0 1 2 5

6.
Botnets—the evolving nature of adversaries, tactics,techniques and procedures their stolen data” said Ollmann. “There’s serious money involvedHighlights: and a highly competitive underground marketplace. You can findn Botnet controllers build massive information profiles on their hundreds of do-it-yourself botnet kits online, along with YouTube compromised users and sell the data to the highest bidder. instructional videos, competitive reviews of the botnet tools, ads sponsored by DIY constructors, tutorials and more. It has all then Advanced persistent adversaries query botnet operators in trappings of a legitimate sector of the software space.” search of already compromised machines belonging to their attack targets.n Bad guys will borrow techniques from Black Hat SEO Advanced persistent adversaries leverage to deceive current botnet defenses like dynamic botnets to find entry points. reputation systems. Researchers expect large-scale botnets and targeted, persistent attacks to share more common ground in the future as well. According to Georgia Tech Professor Wenke Lee, “Targeted attacksWhile botnets have plagued the Internet for some time, their usage against a specific organization used to be perceived as isolated.in advanced persistent threats is evolving, as are the tactics, But now we have evidence that some of these targeted attacks havetechniques and procedures for command and control. Today, roots in common botnets.”attacks are much more federated and the malware agents infectingdevices are tuned for a particular operating system. That means When an operator creates a large-scale botnet, they have vari-the command and control infrastructure for the entire botnet can ous options for monetizing the investment. In the past, the highestremain the same and still communicate with bots across different bidders needed the computational power to send vast amounts ofoperating systems. spam or conduct a denial of service attack. But now, advanced persistent adversaries query botnet operators to identify compro- mised machines belonging to the company or organization in their crosshairs. The adversary may ask the botnet operator if heBotnet controllers build massive information can run some queries against the machines to determine the OS,profiles which may become part of legitimate applications running, type of function they perform, etc. to gatherlead generation efforts. information for creating a targeted, stealthy attack with the end“Three or more years ago, botnet operators focused on stealing goal of data theft. In many cases, adversaries will pay top dollaremail and password credentials, which were useful to spammers,” for the information, providing a new and extremely lucrative sourcesaid Gunter Ollmann, vice president of research for Damballa. of revenue for botnet operators.“Now botnet controllers are building massive profiles on theirusers, including name, address, age, sex, financial worth, relation- Infrastructure and information sharing will also occur more regularlyships, where they visit online, etc. They sell this information, where between botnet operators and other malicious actors. For example,it ultimately finds its way into legitimate lead generation channels.” a bot master can lend or sell his malware/bot program to another attacker that wants to compromise the same machine for a differentSites will buy the information stolen via botnets in bulk. The infor- purpose. Often this requires just a small variation or extension of themation may exchange hands for money several times. And eventu- original bot program, and may use part of the same command andally, a legitimate business may pay for the information for lead control infrastructure. The same theory works in reverse as a mali-generation purposes, not realizing that it has been stolen. In some cious actor can sell a successful targeted exploit to a bot operator.cases, a company might pay $20 -$30 for a qualified lead. Botnetscan also play a role in auto-filling forms online that are used tocompile lists for marketing purposes. The botnets already have all Botnet command and control architecturethe personal information necessary to fill out the forms, and botnet is becoming decentralized.operators can devise an automated process resulting in a sophisti-cated fraud scam that is difficult to detect and prosecute. While botnets are still responsible for some of the largest DDoS attacks to date (generating > 100 Gbps of traffic), security experts“The botnet scams are still big business, and operators are com- will focus on evolution of botnet command and control architectureing up with more elaborate fraud systems to increase the value of in the year ahead.6 GEORGIA TECH CYBER SECURITY SUMMIT 2011

7.
“I think the evolution of botnets has more to do with the Command to a pay-per-install company in the criminal ecosystem to infect asand Control (C2) architecture than the size of the attacks being many machines as possible. To increase its own profits, the pay-launched,” said Barry Hensley, director of the Counter Threat Unit/ per-install company will attempt to install more than one piece ofResearch Group at Dell SecureWorks. “We are starting to see a malware. As a result, Damballa found that more than 40 percent ofdecentralized C2 architecture, namely Peer-to-Peer. Since IRC and compromised devices have two or more external entities control-HTTP C2 infrastructure still work well for bot operators, P2P is not ling them. “This makes remediation difficult as users may receiveyet widely implemented. Once the security space starts making an varying advice for cleaning up their machines based on the type ofimpact and decreasing the effectiveness of those two protocols, malware,” said Ollmann.we’ll start to see botnet operators shift toward P2P and DNS. Untilthen, they’ll just use what works.”Increased botnet take-downs and 64-bitcomputing can help.On the positive front, botnet take-downs appear to be more com-mon. “These efforts represent an evolution in the security commu-nity,” said Paul Royal, research scientist at Georgia Tech. “As highlymotivated security professionals come together for a common cause,we expect to see more take-downs in the year ahead.”Royal also cites the identification and arrest of malware authors as apositive step in combatting the problem. “Taking away the criminalunderground’s human capital can be very effective,” said Royal.“However, the security community is facing new ethical concernsrelated to take-downs that may threaten collaboration.”Royal referred to the trust required to share information about com-promised machines when part of concerted take-down operations.“Unfortunately, some organizations will take defensive informationgathered as part of take-down efforts and turn it into offensive infor-mation about compromised machines, which can be sold or sharedwith interested parties. This practice may discourage some individu-als from participating in take-down efforts moving forward.”Royal does see some promising security advantages for combattingbotnets inherent in the transition from 32-bit to 64-bit computing. “DataExecution Prevention (DEP) and Address Space Layout Randomization(ASLR) are both good for battling exploits, and both are better utilizedwith 64-bit computing,” he said. “DEP stops what should be data fromexecuting as code. And even if malicious code is downloaded, ASLRmakes it harder for threats to reach the final stage.”But the security community is still up against a serious threat when itcomes to botnets. “Present defenses involve blacklisting IP addresses,Web filtering techniques and dynamic reputation systems,” saidOllmann. “A new battle front is opening up, and the bad guys willborrow techniques from Black Hat SEO to deceive dynamic repu-tation systems, similar to how they are subverting page rankingtechniques used by search engines.”Pay-per-install malware will also continue to plague users. In this sce-nario, bot agent malware is developed. Then the creator subscribes E M E R G I N G C Y B E R T H R E AT S R E P O R T 2 0 1 2 7

8.
Controlling Information Online—a new frontierin information security Malicious actors try to influence searchHighlights: engine algorithms for their own benefit.n Security researchers are currently debating whether person- According to Greg Conti, associate professor of computer science alization online could become a form of censorship. at West Point, in the digital age, propaganda and censorship have become automated processes. He suggests applying critical ques-n Attackers are performing search engine optimization to tions to information online, including: help their malicious sites rank highly in search results.n The trend in compromised certificate authorities exposes n Who controls the flow? numerous weaknesses in the overall trust model for n Who can alter the flow? the Internet. n Who restricts consumption? n Is there surveillance? n Is there the perception of surveillance?The control of information delivered to online users continues to “The original idea of browsing the Web from site to site without abe a complex security challenge. “In addition to trust and privacy, global search capability didn’t scale,” said Conti. “Now we havethe lack of transparency concerning how governments and Internet search engines like Google with tremendous control over the flowService Providers (ISPs) prioritize traffic is a serious threat,” said of information. Actors are trying to influence the largely neutralNick Feamster, associate professor in the College of Computing at search engine algorithms for their own benefit using search engineGeorgia Tech. Feamster studies Internet-based control of information optimization and search poisoning techniques.”along a spectrum, ranging from overt blocking of content, to mali-cious manipulation, to selective censorship and filtering, to attempts While search poisoning has been around for years, it is still anto manipulate Internet performance at the ISP level. effective technique for launching malware. In a recent 2011 cam- paign, increasing numbers of Google image search results were“When performance is degraded, a service is unavailable, or infor- poisoned, redirecting users either to an exploit kit or rogue AVmation is inaccessible, it is difficult for users to determine whether sites. Attackers compromised large numbers of legitimate sites andthe root cause is an unintentional performance issue or overt censor- users had only to click on thumbnail images to launch the exploit.ship,” said Feamster. “Even examples that seem fairly innocuouscan have serious impacts when it comes to opinion shaping and “The online world obfuscates where information comes from andspreading misinformation.” provides ample opportunity to manipulate information before a user receives it,” said Wenke Lee, professor in the College of Computing at Georgia Tech. “Search poisoning and index poison- ing are just two examples of attackers taking advantage of thisDoes personalization online present a risk? situation to launch malware.”Security researchers are currently debating whether personaliza-tion online could become a form of censorship. Websites, news In a typical search poisoning scenario, a user searches a term thenmedia sites, social networking sites and advertisers are all sharing clicks a particular link from among the search results. They arepersonal data about individuals with the goal of more effectively redirected multiple times and eventually land on a page with no rel-targeting information for those individuals. For example, a news evance to the original search, which is used as a vector to delivermedia website might highlight several articles under the heading malware. Attackers are doing their own search engine optimization“Recommended for You” based on age, ethnicity, location, profes- to try to get their malicious sites to rank highly in search results.sion and items searched previously. If a user only received news Malicious sites are also getting better at hiding their bad payloadsunder this heading, it could be limiting. The same principle holds from the search engine crawlers. If they detect a crawler, they willfor search engines that filter results according to algorithms that present a clean Web page to remain undetected.factor a user’s personal information.“You may have the impression that search engines are neutral con-duits, but the results you receive could present a restricted world-view,” said Feamster. “In the case of search filtering, most users arecompletely unaware and have no method to widen search resultsbeyond what the engine supplies.”8 GEORGIA TECH CYBER SECURITY SUMMIT 2011

9.
Combination attacks affecting DNS service In addition to new sophisticated Domain Name System (DNS) andproviders and certificate authorities are certificate authority-based threats, Hensley noted several recentespecially dangerous. examples of Distributed Denial of Service (DDoS) attacks andWith the goal of controlling and monitoring information (as well as nation-state sponsored actions that prevented access to informationstealing data), hackers will develop combination attacks that affect online, including:DNS service providers and compromise certificate authorities. n Large-scale protests coordinated via social media in Libya, Iran,These sophisticated, effective threats will be increasingly difficult Bahrain, Algeria, Jordan, Yemen and Egypt, causing nation-statesto detect and will obviate the need for attackers to place a “man to disrupt Internet service or drop from the Internet entirely.1in the middle.” Even security-conscious users will not be able totell if they are on a malicious site if DNS provisioning systems are n DDoS attacks against various South Korean government andcompromised. And if stolen certificate authorities are employed, business sites.2attackers can create fake banking applications and more to control n DDoS attacks against various Burmese government oppositionaccess to information, steal personal data and money. sites mark third anniversary of Saffron Revolution.3Barry Hensley, director of the Counter Threat Unit at DellSecureWorks, cites the 2011 DigiNotar Certificate Authority (CA) While the techniques used to mount these attacks are not new,breach as a manipulation of security controls with the intent of security researchers expect the Internet and control of informa-controlling and monitoring private citizens’ information. In the case tion online to be a pawn in future conflicts. According to Hensley,of DigiNotar, a hacker going by the handle of “COMODOHacker” “Over the past year, hacktivism has been center stage. SQLseized control of CA servers, created fraudulent certificates and used injection and DDoS attacks continue to be the tools of choice forthem to execute “man-in-the-middle” attacks against hundreds of thou- these groups, many of whom are masters at disinformation and thesands of victims. The scheme enabled the hacker to access Iranian creation of alternative profiles and groups.”Gmail users’ messages and monitor much of their Internet traffic. Recent Internet-driven protests in Libya and Egypt also suggest that“The recent DigiNotar breach associated with a compromised cer- disinformation could play a bigger role in future political conflicts.tificate authority had the ultimate goal of controlling and monitoringinformation,” said Hensley. “The trend in compromised certificateauthorities exposes numerous weaknesses in the overall trust modelfor the Internet, especially considering the only remediation to theDigiNotar breach was to revoke all compromised certificates.” Attempts to understand the effects of search engine filtering and personalization Researchers at Georgia Tech are currently studying the effects of personalization online search filtering. As part of this research, security experts are attempting to build an infrastructure that will provide a normalized, aggregated view of search results with all personalization for the user stripped out.1 Source: http://www.nytimes.com/2010/02/11/world/middleeast/11tehran.html; http://www.zdnet.com/blog/igeneration/egypt-shuts-down-internet-amid-further-protests- facebook-web-traffic-drops/7915; http://www.telegraph.co.uk/news/worldnews/africaandindianocean/algeria/8320772/Algeria-tried-to-block-internet-and-Facebook-as- protest-mounted.html2 Source: http://www.infosecurity-us.com/view/16387/south-korean-government-agencies-hit-by-ddos-attacks/3 Source: http://www.movements.org/blog/entry/cyber-attacks-cripple-independent-burmese-media-sites/ E M E R G I N G C Y B E R T H R E AT S R E P O R T 2 0 1 2 9

10.
Advanced Persistent Threats and the Intersection of Cyber Threats with Physical and Critical Infrastructure “Operation Aurora, Night Dragon and Shady Rat are all examples Highlights: of critical industries being victimized by targeted, persistent cyber n Advanced persistent threats will adapt to security measures attacks,” said Dmitri Alperovitch, independent security expert. “The until malicious objectives are achieved. adversaries behind these attacks were able to exfiltrate design sche- matics and sensitive field negotiations for new oil and gas explora- n Human error, lack of user education and weak passwords tion. These represent a company’s crown jewels and their exposure are still major vulnerabilities. has strongly impacted CEO and CIO perspectives on security.” n Cloud computing and computer hardware may present new avenues of attack, with all malware moving down the stack. Alperovitch described what’s involved in creating sophisticated threats like Stuxnet, “These threats are strategic in nature,” he n Large, flat networks with perimeter defenses at the Internet said. “They require a high level of sophistication far beyond the ingress/egress point break down quickly in the face of rudimentary skills of hacktivists. Since the goal is to remain covert, advanced persistent threats. they must involve a lot of testing resources to obfuscate the source of the attack.” Last year’s Stuxnet worm is the most publicized example of an advanced persistent cyber threat adversely impacting a physical A single APT exploitation can plague an system. But security researchers agree that cyber industrial warfare organization for months or even years. is the wave of the future—driven by advanced persistent adversar- ies and well-funded nation states. But attack sophistication largely depends on the security of the selected target. If an attack on critical infrastructure or corporate data theft can be accomplished via traditional phishing and com- mon exploit kits, adversaries will not use advanced techniques. The The advanced persistent threat—not a what, term, “advanced persistent threat” is also misused or confused with but a who? Hacktivists attempting to change industry or government behavior “The Advanced Persistent Threat (APT) buzzword has become the via organized cyber activity—typically denial-of-service campaigns most overused and misunderstood acronym in the IT security com- or the posting of compromised sensitive data designed to publicly munity” said Barry Hensley, Director of the Counter Threat Unit/ embarrass an organization or cripple operations. Research Group for Dell SecureWorks. “An APT is not characterized by the sophistication of an adversary’s malware. Rather, it pertains “The tools, procedures and other controls used to defend commod- to the threat actor’s determination and the resources he is willing to ity security threats are often ineffective against targeted APTs,” said expend to achieve his objectives. It’s not a what, but a who?” Hensley. “When actors are focused on a specific target, they custom- ize and adapt their tactics, techniques and procedures to predict and “When a person or group has the required cognitive abilities and circumvent security controls and standard incident responses.” resources at their disposal, and applies them with the singular aim of obtaining intellectual property, intelligence or personally identifi- According to Hensley, an organization can be plagued by a single able information, it changes the game,” said Hensley. “It means the APT exploitation for months or years—even after it is aware of the threat can and will adapt to your security posture until its objectives effort. The incident response drags on as threat actors continually are achieved or the cost of the operation outweighs the perceived respond to defensive measures and look for new security weak- value of the target.” nesses. “Advanced persistent actors have clear objectives with cen- tralized planning and often decentralized execution,” said Hensley. While governments are important targets for espionage and intelli- “These adversaries are highly resourced, methodical, adaptive, gence gathering, computer systems, corporations and critical infra- resilient, advanced enough and clearly patient.” structure are also attractive, high-value targets. Some nation-state sponsored attacks are targeting corporations specifically for their intellectual property, sensitive business negotiations and national security designs and technology.10 GEORGIA TECH CYBER SECURITY SUMMIT 2011

11.
Users continue to be a common and the supply chain from beginning to end,” said Andrew Howard,hard-to-remediate weak point in security. research scientist at GTRI. “20 years ago when power stationsWith such high stakes, critical infrastructure must remain highly weren’t IP-enabled, that may have been less of a concern. But nowalert with multiple layers of defense and constant user education. that we’re phasing out legacy hardware for newer equipment that“In the military, you’re taught that in a defensive position, you is connected to the Internet, it could open up a vulnerability tohave a three-to-one advantage over an attacker,” said Greg Conti, something like Stuxnet.”associate professor of computer science at West Point. “But insecurity, it’s the opposite. The attacker has nearly a thousand-to-one While critical infrastructure threats most often conjure images of anadvantage. We have to assume that a determined adversary can attack on the power grid, GTRI and other security experts note thatovercome the defender, it is just a matter of how long it will take.” the financial infrastructure is also an attractive target, particularly for advanced persistent adversaries. As society continues to moveUnfortunately, end users tend to be the most common and hard-to- away from cash, an attack on the credit card exchange systemremediate weak point, and even security researchers struggle to could cause a panic and erode trust in the financial system.address the problem. “You can’t patch users,” said Conti. “Andthere’s always a human being somewhere behind the securitytechnology.” Experts believe the cyber vector is a new force multiplier in nation-state conflicts.One source working in critical infrastructure agrees, “People arealways the most vulnerable part of the IT infrastructure,” he said. Experts agree that a cyber conflict with physical ramifications out-“We have so many security layers and defenses, from separating side of a traditional kinetic conflict is unlikely. But they also believephysical control systems from the standard business network, to the cyber vector is a new force multiplier in nation-state conflicts.DMZs, to limiting network protocols that communicate with physical Whether APTs are targeting infrastructure, corporations or govern-systems, and securing all the primary UIs to the Internet. At the end ments, there is a strong need for public/private collaboration toof the day, there’s a person on the end of all that security that can improve security.make decisions that will have an impact.” CONTINUED ON NEXT PAGEThe cloud complicates traditional GTRI leads implementation of thesecurity defenses. Homeland Open Security Technology (HOST) programSome of the other concerns surrounding emerging threats to criticalinfrastructure and business in general include the move to cloud com- The U.S. Department of Homeland Security (DHS) Scienceputing, the transition from IPv4 to IPv6, computing monocultures and and Technology (S&T) Directorate named the Georgia Techhardware supply chains. Cloud computing is still relatively ill-defined Research Institute (GTRI) to lead implementation efforts for theyet highly complex, presenting a giant target for adversaries. five-year, $10 million Homeland Open Security Technology (HOST) program. The HOST program investigates open“The cloud complicates today’s traditional defensive techniques,” source and open cyber security methods, models and tech-said Hensley. “A threat actor could build infrastructure in the nologies to identify viable and sustainable approaches thatcloud using highly available on-line developer tools, then use it to support national cyber security objectives.command-and-control exploited computers by hiding in what wethought was benign traffic.” “The collaborative nature of open source and open technolo- gies provide unique technical and economic value, andComputer hardware may be another frontier for emerging threats. opportunities for government users,” said Joshua Davis,“We’re seeing a current trend with all malware moving down the associate division head at GTRI’s Cyber Technology andstack,” said Alperovitch. “Threats are becoming embedded in Information Security Laboratory and principal investigator forhardware. There are threats that modify the basic input/output the HOST program.system (BIOS), embed themselves in firmware and persist outsidethe operating system. We will need new hardware and software GTRI is leading HOST efforts in conjunction with the Openapproaches to combat this problem.” Technology Research Consortium (OTRC), a collaborative network of leading academic research institutions, industryResearchers with the Georgia Tech Research Institute (GTRI) agree partners and open source community organizations that workthat the hardware supply chain presents a risk. “No one controls to promote the advancement of open source software adop- tion within government agencies. E M E R G I N G C Y B E R T H R E AT S R E P O R T 2 0 1 2 11